Added CHAIN declarations

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@698 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/accounting

@@ -7,10 +7,33 @@
 #	that you define in this file. You may display these rules and their
 #	packet and byte counters using the "shorewall show accounting" command.
 #
-#	In all columns of this file, the values "-", "any" and "all" may be used
+#	Please see http://shorewall.net/Accounting.html for examples and 
-#	as wildcards
+#	additional information about how to use this file.
 #
-# Columns are:
+#	This file has two sections -- the first section is used to create a
+#	hierarchy of accounting chains. The second section creates rules to
+#	count traffic through your firewall.
+#
+# In the first section of this file, entries have the following columns:
+#
+#	ACTION	      -	Must contain CHAIN
+#
+#	CHAIN	      - The name of a chain to create. Shorewall will create
+#			this chain. If the chain already exists, a warning
+#			message is issued and the entry is ignored.
+#
+#	NEXT CHAIN    - Optional - The name of a previously-created chain
+#
+#	If the NEXT CHAIN column is empty then Shorewall will add a single
+#	RETURN rule to the chain named in the CHAIN column. If the NEXT 
+#	CHAIN column is not empty then Shorewall will add a jump from the
+#	newly-created chain to the chain named in the NEXT CHAIN column.
+#	
+#ACTION		CHAIN		NEXT CHAIN	
+
+# ADD YOUR CHAIN DECLARATIONS ABOVE THIS LINE
+#
+# Columns in the second section of this file are are:
 #
 #	ACTION	      - What to do when a match is found.
 #
@@ -19,7 +42,9 @@
 #				DONE	- Count the match and don't attempt
 #					  to match any other accounting rules.
 #				<chain> - The name of a chain. Shoreall will 
-#					  create the chain automatically.
+#					  create the chain automatically if
+#					  it was not created by an earlier 
+#					  CHAIN declaration above.
 #
 #	SOURCE	      - Packet Source
 #
@@ -46,4 +71,10 @@
 #			only be specified if the protocol is TCP or UDP (6
 #			or 17).
 #
+#	In all of the above columns except ACTION, the values "-", "any" and
+#	"all" may be used as wildcards
+#
+#	Please see http://shorewall.net/Accounting.html for examples and 
+#	additional information about how to use this file.
+#
 #ACTION	SOURCE		DESTINATION	PROTOCOL	DEST PORT   SOURCE PORT

Shorewall/changelog.txt

@@ -29,3 +29,7 @@ Changes since 1.4.6
 
 14) Fixed bug where an interface name alone appears in the DESTINATION
     column of the accounting file.
+
+15) Add ACTION column to accounting file.
+
+16) Add CHAIN declarations to accounting file.

Shorewall/firewall

@@ -1758,6 +1758,43 @@ delete_tc()
     done
 }
 
+#
+# Add an accounting chain
+#
+add_accounting_chain() {
+    chain_error() {
+	error_message "Warning: Invalid CHAIN declaration" $source $dest $protocol $port $sport
+    }	
+	
+    if [ -n "${protocol}${port}${sport}" ] ; then
+	chain_error
+	return
+    fi
+
+    if [ -z "$source" ] ; then
+	chain_error
+	return
+    fi
+
+    if chain_exists $source; then
+	error_message "Warning: Chain $source already exists - CHAIN declaration $source $dest Ignored"
+	return
+    fi
+    
+    if createchain2 $source No; then
+	if [ -z "$dest" ]; then
+	    run_iptables -A $source -j RETURN
+	    echo "   Accounting chain $source" created
+	elif iptables -A $source -j $dest ; then
+	    echo "   Accounting chain $source with next chain $dest created"
+	else
+	    chain_error
+	fi
+    else
+	chain_error
+    fi
+}
+	
 #
 # Process a record from the accounting file
 #
@@ -1793,11 +1830,16 @@ process_accounting_rule() {
 	-|all|any)
 	    ;;
 	*)
-	    rule="-i $source"
+	    if [ -n "$source" ]; then
+		rule="-i $source"
+	    else
+		accounting_error
+		return
+	    fi
 	    ;;
     esac
 
-    [ "x$dest" != x ] && case $dest in
+    [ -n "$dest" ] && case $dest in
 	*:*)
 	    rule="$rule -d ${dest#*:} -o ${dest%:*}"
 	    ;;
@@ -1811,7 +1853,7 @@ process_accounting_rule() {
 	    ;;
     esac
 
-    [ "x$proto" != x ] && case $proto in
+    [ -n "$proto" ] && case $proto in
 	-|any|all)
 	    ;;
 	*)
@@ -1819,7 +1861,7 @@ process_accounting_rule() {
 	    ;;
     esac
 
-    [ "x$port" != x ] && case $port in
+    [ -n "$port" ] && case $port in
 	-|any|all)
 	    ;;
 	*)
@@ -1827,7 +1869,7 @@ process_accounting_rule() {
 	    ;;
     esac
 
-    [ "x$sport" != x ] && case $sport in
+    [ -n "$sport" ] && case $sport in
 	-|any|all)
 	    ;;
 	*)
@@ -1873,7 +1915,14 @@ setup_accounting() # $1 = Name of accounting file
     strip_file accounting $1
 
     while read action source dest proto port sport ; do
-	[ "x$source" != x ] && process_accounting_rule
+	case $action in
+	    CHAIN)
+		add_accounting_chain
+		;;
+	    *)
+		process_accounting_rule
+		;;
+	    esac
     done < $TMP_DIR/accounting
 
     if chain_exists accounting; then

Shorewall/releasenotes.txt

@@ -131,9 +131,10 @@ New Features:
    will use all listed addresses/ranges in round-robin fashion.
 
 7) An /etc/shorewall/accounting file has been added to allow for 
-   traffic accounting.
+   traffic accounting. The file has two sections which will be
+   described in reverse order.
 
-   The file has the following columns:
+   The second seciton of the file has the following columns:
 
 	ACTION	      - What to do when a match is found.
 
@@ -194,3 +195,7 @@ New Features:
    named chain and the second is a RETURN rule which causes the
    accounting chain to be exited.
 
+   The first section of the file allows aggregation of counters in
+   chains in other chains. It does this by allowing you to create an
+   accounting chain hierarchy. This facility is described with an
+   example at http://shorewall.net/Accounting.html.